Is there an API to query for SIP Protected Paths or some way that this information can be deciphered?
Intent is to mute those paths or a subset for an ES client.
Is there an API to query for SIP Protected Paths … ?
No.
Intent is to mute those paths or a subset for an ES client
That seems like a reasonable use case. If you’d like to see something for this added in the future, I encourage you to file an enhancement request describing these specific requirements.
IMPORTANT Make sure to file this against ES, rather than ask for a general ‘is this file SIP protected?’ API.
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
You can determine if a path is protected by SIP by checking the "com.apple.rootless" extended attribute. However, this can be misleading as the attribute doesn't exist for subfolders:
xattr /System/
com.apple.rootless
xattr /System/Library/
<nothing>
Additionally, some protected files and folders cannot be read at all, and there's no way to check for this. For example, /private/var/db/KernelExtensionManagement
Created feedback request FB13702329 (API query for SIP Protected Paths) to track this.
@Dmytro_cpp : I was looking at https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip which suggests looking at "/System/Library/Sandbox/rootless.conf" to figure out SIP protected areas.
But not sure if the format of the conf file is defined somewhere, and it might be subject to change in future releases.
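Added example, not part of any post in this thread and not Apple code: a Python parser for rootless.conf-style text that answers "is this path listed as protected?" and shows which exceptions a prefix mute would also cover. The line layout (tab-separated fields, path last, a leading `*` marking an exception) is an assumption about an undocumented file, the sample is constructed, and the names `parse_rootless`, `is_protected` and `mute_plan` are hypothetical.

```python
import posixpath

# Constructed sample in the ASSUMED layout of /System/Library/Sandbox/rootless.conf:
# tab-separated fields, path last, a leading "*" marking an exception.
# The layout is undocumented and may change between macOS releases.
SAMPLE_CONF = (
    "# constructed sample, not copied from a real system\n"
    "\t\t\t\t/System\n"
    "*\t\t\t\t/System/Library/Caches\n"
    "\t\t\t\t/usr\n"
    "*\t\t\t\t/usr/local\n"
    "TCC\t\t\t\t/Library/Application Support/com.apple.TCC\n"
)

def parse_rootless(text):
    """Return [(path, is_exception)] for every line that ends in an absolute path."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if not fields or not fields[-1].startswith("/"):
            continue  # unknown line shape: skip rather than guess
        rules.append((posixpath.normpath(fields[-1]), fields[0] == "*"))
    return rules

def _covers(prefix, path):
    # Component-wise prefix test, so "/usr" does not cover "/usrfoo".
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def is_protected(path, rules):
    """Longest matching rule wins; a path with no matching rule is not listed."""
    path = posixpath.normpath(path)  # lexical only, symlinks are not resolved
    best = None
    for prefix, is_exception in rules:
        if _covers(prefix, path) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, is_exception)
    return best is not None and not best[1]

def mute_plan(rules):
    """Map each protected prefix to the exceptions nested under it.

    A prefix mute on the key would also hide events for those exceptions,
    which are not SIP-protected, so an ES client may want to leave them unmuted.
    """
    protected = sorted(p for p, exc in rules if not exc)
    exceptions = sorted(p for p, exc in rules if exc)
    return {p: [e for e in exceptions if _covers(p, e)] for p in protected}
```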
Dmytro_cpp wrote:
You can determine if a path is protected by SIP by checking the com.apple.rootless extended attribute.
That is an implementation detail, not API.
ameydalvi wrote:
Created feedback request FB13702329
Thanks!
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"